Posts

Major cyber attack likely to happen this year, experts say

It's no secret that the U.S. is currently vulnerable to a debilitating online attack. But many top IT security professionals have predicted that something catastrophic is coming – and it could happen in 2013. 

"Spear phishing." 

It sounds kind of silly – the sort of phrase used to make these dramatic events even more sensational. But it's a real threat, and it skewered our gas pipeline systems repeatedly last year, as infiltrators scoured for information and wreaked all sorts of structural havoc. And that could be just the beginning.

Before the parade of high-profile hacks of the last few weeks, industry experts were already foreseeing a huge cyber security disaster. In January, the conference of the Information Systems Security Association sent a survey to IT gurus asking about the current strength of American online safety. Without specifying exactly which kind of disaster would occur, members of the conference were asked if they thought a major act of cyberterrorism could happen soon. The results were chilling, though unsurprising for anyone who's been paying attention: 79 percent of those surveyed said that a significant attack on our infrastructure will occur this year, and nearly 60 percent believed the government should step up and make more of an effort to keep Americans safe.

Polled members were a little more divided on where they thought the attack was most likely to strike. Some said it would target a financial organization, while others said things like oil, or even the sewage systems, could be commandeered. But the majority chose electricity, saying that our power grid is particularly vulnerable (better hope the hackers don't read Ars Technica).

Threats to our cyber security could come in all sorts of forms: power shutoffs, bank closings, air traffic control interference or something we haven't even considered. The world is slowly starting to wake up to the danger posed by such data security breaches, but we have a long way to go if we hope to keep a grip on our information – not to mention our basic utilities.  

John Sileo is a data security expert and keynote speaker on social media privacy and risk management. His clients included the Department of Defense, Pfizer, and Homeland Security. See his recent work on 60 Minutes, Anderson Cooper and Fox Business.

Jeep jacked and Burger King busted as company Twitter feeds get hacked

So far, 2013 has been the Year of the Hack, as the past few weeks have proven positively lousy with big-name security breaches. 

Social networks, news outlets, and now…jeeps and fast food? That’s right, recent events have seen two prominent businesses get their Twitter accounts hacked, and worse. Not only did identity pirates shanghai the feeds (and therefore the reputations) of Burger King and Jeep, they used this illegal access to send embarrassing and scandalous messages to their followers.

Last Monday, @BurgerKing began tweeting that it had been sold to McDonalds, changing its image to a golden arches logo and posting ridiculous, wildly provocative comments about rappers and mad cow disease. The same thing happened to Jeep the next day, when its account claimed it had been sold to Cadillac and that its CEO had been fired for doing drugs.

The incidents had huge and bizarre repercussions. Many users tweeted quips about how hackers “had it their way” with the fast food giant. Actually, if the plan was to send people away from the burger chain, it backfired: Burger King now has 30,000 new followers and tons of media attention. In fact, soon after, MTV and BET pretended to have been hacked, apparently just for the publicity.

Burger King’s well-managed response is a fantastic example of a corporate character trait I call reputational jujitsu – using negative digital events to your competitive advantage. If you think that BK’s response was accidental, or casual, think again.

Despite the silver lining for the company, this is an alarming series of events. It may seem funny now, but will you be laughing when strangers start using your digital reputation for a prank?  

In response to this, Twitter is determined to make its system more secure by implementing use of the email authentication system DMARC, which will hopefully limit hackers from using false emails to gain private information. While this will help, only time will tell how much difference it actually makes.
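What DMARC actually does is let a domain owner publish, in a DNS TXT record, a policy for mail that fails SPF/DKIM alignment and an address for reports about it. The parser and assessment below are an added example for this post, not Twitter's code or anything from the original article; the three records and their domains are constructed for illustration and belong to no real organisation.

```python
"""Parse a DMARC DNS TXT record and report how much protection it gives.

Added example; the sample records and domains below are constructed and
hypothetical. A receiving mail server evaluates the p= policy only for mail
that fails both SPF and DKIM alignment with the From: header domain.
"""

# Constructed sample records keyed by hypothetical domain.
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "strict.example": (
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
        "rua=mailto:dmarc@strict.example; ruf=mailto:forensics@strict.example"
    ),
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; reject non-DMARC records."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if "p" not in tags:
        raise ValueError("DMARC record lacks the required p= tag")
    return tags


def assess(tags: dict) -> dict:
    """Summarise what the record enforces and list the gaps a defender cares about."""
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))  # default: apply policy to all failing mail
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy applied")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing goes unseen")
    # Alignment defaults to relaxed ('r'): any subdomain of the organisational
    # domain counts as aligned, which is looser than strict ('s').
    if tags.get("adkim", "r").lower() == "r" and tags.get("aspf", "r").lower() == "r":
        findings.append("relaxed alignment: subdomains of the From domain also align")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"policy": policy, "pct": pct, "enforcing": enforcing, "findings": findings}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess(parse_dmarc(record))
        print(f"{domain}: p={result['policy']} enforcing={result['enforcing']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The point the post makes about "false emails" turns on the `p=` value: a record at `p=none` is a monitoring step, and only `quarantine` or `reject` at `pct=100` actually stops spoofed mail from reaching inboxes.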

It may seem trifling, but your digital reputation is vital to how you’re perceived in the offline world. Proper social media risk management is the key to combating such attacks, and it's best to take it to heart before someone makes you the next big online joke.

John Sileo is a social media reputation expert and keynote speaker on online identity and risk management. His clients included the Department of Defense, Pfizer, and Homeland Security. See his recent work on 60 Minutes, Anderson Cooper and Fox Business. 

Facebook Exposed (By Humans) to Vicious Strain of Malware


Viruses are the biological weapons of the internet: once someone gets infected, it's only a matter of time before the contagion starts to spread. Even a social media giant like Facebook isn't immune to the kinds of digital "superbugs" that cause data security breaches.

You would think that corporate titans – with their advanced defenses – would be most immune to the effects of malware, but the reality is that the bigger the service provider, the more vulnerable it can be to hackers and cybercriminals. Recently, we saw Twitter get hit with a massive hack that targeted the data of a quarter-million people. Now, Facebook has been victimized by a vicious strain of software.

Last Friday, Facebook security posted a statement on its blog detailing what it called a "sophisticated attack" on its system that occurred in January.  

"This attack occurred when a handful of employees visited a mobile developer website that was compromised," the post said. "The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops."

The key phrase here is "handful of employees," which reminds us that the solution to the problem isn't only technological, but human in scope.

Disturbingly, all of this happened even though the users accessing this website had complete anti-virus protection. The malware was so advanced, it was able to hijack the Java protocols normally set to fight against situations like this. I'm curious to know whether or not the malware would have been avoided had the handful of employees been trained on sophisticated social engineering and spear-phishing schemes.

Facebook has stressed that no user data appears to have been compromised, and that the malware responsible was treated as of this month. While this is good news, it doesn't hide the fact that this could happen to anyone, regardless of what you think your level of immunity is. In the meantime, Facebook's troubles are a reminder that hackers can play tug of war with your online reputation at anytime, and you might not know who won until it's too late.

Social media exposure is always there, hovering just out of sight. To protect yourself, consult a data security expert to ensure your people are as updated on scams as your anti-virus protection is. Otherwise, you might wake up one morning with your information available to others – a common symptom of those affected by a data breach.

John Sileo is a data security expert and keynote speaker on social media privacy and risk management. His clients included the Department of Defense, Pfizer, and Homeland Security. See his recent work on 60 Minutes, Anderson Cooper and Fox Business.

China Hacks Wall Street Journal. Is Your Business Next?

Quick! Name a major international newspaper that wasn’t hacked last week. It might be harder than you think.

Last Wednesday, The New York Times announced on its front page that it had been hacked over the course of four months by state-sponsored cyber criminals in China. The Times said that Bloomberg News had also recently been targeted. The following day, The Wall Street Journal said it too had been infiltrated by Chinese hackers. Next up was the Associated Press, acknowledging similar data security breaches.

According to The Times, it was breached thanks to a spear-phishing attack, at which point the hackers uploaded an array of malware to the company network and started stealing email passwords of reporters, editors and other employees.

This all stems from an October 2012 story written in the paper about the family of the Chinese prime minister quietly amassing a multi-billion-dollar fortune in recent years. Apparently, they were looking for sources used in the investigation that might be revealed in the email accounts of Times reporters and editors.

There is a frightening paradigm shift that seems to have happened in the blink of an eye, but in reality has been ongoing for a while now. State-sponsored cyber attacks are more common than most would think, and if a foreign country thinks it can gain an advantage over the U.S. by weakening businesses and entire industries, in addition to monitoring media outlets and exposing confidential sources of journalists, everyone should be concerned.

Ultimately, you can have all the latest high-tech security measures in place, but they won’t mean anything when a simple mistake made by an employee opens up a hole in your defenses big enough to drive a truck through. Password and data risk management, ways to spot and avoid phishing emails, what type of information you shouldn’t store in online accounts – these are just a few of the things employees must be educated on.

You can build a moat around your business, but if a trusted employee accidentally lowers a drawbridge, don’t think for a second nefarious individuals won’t rush right in.

John Sileo is a data security expert and keynote speaker on social media privacy and risk management. His clients included the Department of Defense, Pfizer, and Homeland Security. See his recent work on 60 Minutes, Anderson Cooper and Fox Business.

Data security dealt another body blow as Twitter gets hacked

About 250,000 Twitter accounts may have been hacked last week. Was yours one of them?

On Friday, the company announced via its official blog that it had reset the passwords for those users after a breach was detected in which email addresses, usernames and encrypted password data may have been accessed by hackers.

The blog post was quick to point out that other companies such as The Wall Street Journal and The New York Times have recently fallen victim to data security breaches as well, though those attacks appear to have been state-sponsored (check back here tomorrow for more on those breaches).

There has been no indication as of yet that the infiltration of Twitter was related to those incidents. However, Bob Lord, the company’s director of information security and author of the blog post, said he does not believe this was an isolated event, and that the attack was sophisticated and “not the work of amateurs.”

Lord also suggested that users disable Java in their Web browsers, seemingly suggesting that some of the blame for the Twitter breach could lie there.

The bottom line is that the methods used by hackers, whether independent or state-sponsored, are becoming increasingly sophisticated. Are you taking the necessary steps to ensure that your employees are aware of how serious data security and social media risk management are? Are you absolutely certain that no one is using the same password for their personal Twitter account as they are for their login to your company network?

All it takes is for one individual to either be too lazy to care or uninformed, and your whole company could end up paying the price. Seeking out the advice of a data risk management expert is the best move one can make. In the meantime, try implementing a system where employees regularly change their company passwords in an effort to limit windows of exposure.

John Sileo is a data security expert and keynote speaker on social media privacy and risk management. His clients included the Department of Defense, Pfizer, and Homeland Security. See his recent work on 60 Minutes, Anderson Cooper and Fox Business.